Business Needs for Group Policy


Before implementing a Group Policy, you must perform an assessment of the business's needs to determine where in the business the management is required and the level of management that needs to be implemented. Use the following questions as a guideline when assessing the needs of the business:

  • Which areas of the client's computing environment need to be controlled?

  • Which areas in the business require administration?

  • Do all areas in the business require the same level of management? Do some areas require a high level of management, while other areas require minimal management?

Determining the different levels of management required throughout the business is important because they have an impact on the creation of lower-level OUs in the Active Directory hierarchy. Because Group Policies can be linked to the various levels in the Active Directory hierarchy, using the preceding questions as a guide also helps the design team determine where in the hierarchy the policies should be linked to best serve the needs of the IT organization.

To determine this, you must first understand what Group Policy can do.

What Does Group Policy Do?

Group Policy is a tool that allows for centralized administration. It can be used to configure and set standards for the computing environment (both client and computer) in a business. Group Policies are linked to containers in the Active Directory hierarchy, and all objects in the container are affected by the policy settings. This is unlike policies in Windows NT 4.0, which are directly applied to groups, users, and computers. Figure 6.1 shows the general settings that can be configured for both users and computers.

Figure 6.1. The general settings that can be applied to users and computers. Each setting has specific options that can be configured.


The Microsoft Management Console (MMC) snap-in is used to manage Group Policy settings. The snap-in is available automatically when using the Active Directory Users and Computers or the Active Directory Sites and Services snap-in. You can also create a custom MMC console to use exclusively for modifying Group Policy. Use the following steps to open the Group Policy snap-in:

  1. Launch the Microsoft Management Console by clicking Run from the Start menu and typing in MMC.

  2. From the Console menu, select Add/Remove Snap-In.

  3. Select Add from the dialog box that appears.

  4. Select the Group Policy snap-in, and click Add.

  5. Select Finish, and then select Close to make the Group Policy snap-in available.

  6. You might want to save this console. Select the Console menu, and select Save As; then specify the name and location of the MMC configuration (.msc) file that stores the console settings. It can subsequently be used to launch the MMC with the configured snap-ins.

Software Settings

Using Group Policy, administrators can manage the distribution and installation of software from a central location. Software can be installed, removed, updated, repaired, assigned, and published from a central location. This makes the administration and distribution of software much simpler, especially in an enterprise environment.

One of the strongest features of Group Policy is that it gives administrators the ability to assign or publish applications to users in a selected Group Policy object (GPO). A GPO contains the policy settings that are applied to users and computers. Assigning an application makes that application mandatory, and it cannot be uninstalled by the user. Publishing an application makes it available to the users, and they have the choice of whether to install it.

Note: Applications can be assigned to both users and computers. However, applications can be published only to users, not to computers.


Windows Settings

Group Policy can also be used to apply security settings throughout the Active Directory hierarchy. Windows settings enable you to configure script settings and security settings for both users and computers. The security settings that can be configured define the security configuration for the user or computer. Figure 6.2 shows the Windows settings that can be applied.

Figure 6.2. The software and Windows settings that can be applied to users and computers through Group Policy.


The security settings that can be applied to a computer include password policies, account lockout policies, and audit policies. Security policies for computers are most commonly applied to (and should be applied to) domain controllers and other servers in the network. For example, a security policy that governs who is able to log on locally can be applied to domain controllers.

Tip: One of the advantages of Group Policy in Active Directory is that different user account policies can be created for different areas in a domain. Recall that in Windows NT 4.0, only one user account policy can be created per domain, and it affects all users. Now, separate policies can be created, allowing for better administrative control; the same is true for computer account policy.


Through the Windows settings in the Group Policy snap-in, logon/logoff and startup/shutdown scripts can be configured. The logon/logoff scripts are applied to users regardless of which computer they log on from. The startup/shutdown scripts are applied to the computers regardless of which user logs on.

Administrative Templates

By using the administrative templates, Registry settings for users and computers can be configured and the user interface can be preconfigured and enforced. For example, by using the options available under Administrative Templates, a standard configuration can be applied to groups of users and computers. If both users and computers in a specific department require a common desktop configuration, a Group Policy can be applied to enforce the necessary configuration.

More than 400 options can be configured, including the user's Start menu, taskbar, desktop, and network connections. Figure 6.3 shows the general settings under the administrative templates, each of which has several configurable options.

Figure 6.3. Some of the options that can be configured through the administrative templates.


A number of options can be configured through Group Policy for users and computers. Which options are used and where in the hierarchy the GPO is linked are dependent on the administrative model and level of management required.
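The following added example (not from the book) shows how links to containers determine which GPOs reach an object. It parses the `gPLink` and `gPOptions` attributes that Active Directory stores on a domain or OU and walks up from a user's OU to the domain root, honoring disabled links, enforced (No Override) links, and Block Policy inheritance. It assumes a constructed `example.test` directory with placeholder GUIDs, and it does not model site links, local policy, security filtering, or precedence among links.

```python
import re

# gPLink stores one "[LDAP://<GPO DN>;<options>]" entry per GPO linked to a container.
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
DISABLED, ENFORCED = 0x1, 0x2   # bit flags in a link's options value
BLOCK_INHERITANCE = 0x1         # bit flag in the container's gPOptions attribute

def parse_gplink(value):
    """Return [(gpo_dn, disabled, enforced), ...] in attribute order."""
    return [(dn, bool(int(opt) & DISABLED), bool(int(opt) & ENFORCED))
            for dn, opt in LINK_RE.findall(value or "")]

def containers_above(object_dn):
    """Yield parent containers, nearest first, ending at the domain root.
    Assumes no escaped commas in the DN (true for the sample data)."""
    parts = object_dn.split(",")[1:]            # drop the object's own RDN
    while parts and not parts[0].upper().startswith("DC="):
        yield ",".join(parts)
        parts = parts[1:]
    if parts:
        yield ",".join(parts)                   # the domain root itself

def effective_gpos(object_dn, directory):
    """GPO DNs whose links reach object_dn; directory maps container DN -> attributes."""
    result, blocked = [], False
    for container in containers_above(object_dn):
        attrs = directory.get(container, {})
        for dn, disabled, enforced in parse_gplink(attrs.get("gPLink")):
            if not disabled and (enforced or not blocked) and dn not in result:
                result.append(dn)
        # Block inheritance hides non-enforced links made higher in the hierarchy.
        blocked = blocked or bool(attrs.get("gPOptions", 0) & BLOCK_INHERITANCE)
    return result

def _link(tag, options):
    """Build a constructed gPLink entry with a placeholder GUID (not a real GPO)."""
    guid = f"{{{tag * 8}-0000-0000-0000-000000000000}}"
    return f"[LDAP://cn={guid},cn=policies,cn=system,DC=example,DC=test;{options}]"

# Constructed sample directory: a domain root and one OU that blocks inheritance.
SAMPLE_DIRECTORY = {
    "DC=example,DC=test": {"gPLink": _link("A", 0) + _link("B", 2)},
    "OU=Finance,DC=example,DC=test": {"gPLink": _link("C", 0) + _link("D", 1),
                                      "gPOptions": 1},
}

if __name__ == "__main__":
    for who in ("CN=Alice,OU=Finance,DC=example,DC=test",
                "CN=Bob,OU=Sales,DC=example,DC=test"):
        print(who, "->", [dn[4:12] for dn in effective_gpos(who, SAMPLE_DIRECTORY)])
```

In the sample, the Finance OU blocks inheritance, so the user there receives the OU's own enabled GPO plus only the enforced domain GPO, while a user in an OU without links receives both domain GPOs.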



MCSE Windows 2000 Active Directory Services Design Exam Cram 2 (Exam Cram 70-219)
ISBN: 0789728648
Year: 2003
Pages: 148